Interview: The Investigatory Powers Bill and UK privacy

Jonathan Parker-Bray, CEO of Criptyque, makers of encryption app Pryvate, talks to us about mobile security and encryption, in the wake of the Government’s proposed Investigatory Powers Bill.

What do you think are the major security threats businesses need to be aware of in 2016?

In 2016 the sophistication of cyberattack techniques deployed by cybercriminals will continue to evolve. Businesses need to ensure they are prepared and equal to it. We’re already seeing increasing numbers of attacks targeting mobile devices, as mobile phones and tablets are inherently less secure than laptops and desktop computers. The compromising of business critical communications, whether it is due to cyberespionage or by predatory cybercriminals, is one of the greatest threats businesses face and could inhibit a company’s competitive edge.

How do you feel about the Government’s proposed Investigative Powers Bill?

The Investigatory Powers Bill does not take into account citizens’ and businesses’ fundamental right to privacy. Where matters of national security are concerned, we are fully behind any government proposal to protect its citizens. However, this should not extend to such a level where law abiding citizens no longer have the right to their own privacy.

We believe that everyone has the right to choose whether or not to keep their communications private and protect themselves from cybercrime and surveillance, and use whatever encryption tools are at their disposal to achieve such ends.

Whilst we would agree strongly that there does need to be an updating and an expansion of legislation to account for the digital age, this should not override the hard-fought right to privacy that is owned by every citizen in the UK. Threat actors will always find nefarious ways of using good intentioned technology for their own means, and this law is a potential licence for the invasion of the right to privacy on a scale this country cannot allow.

What are the potential implications of the bill?

This bill could potentially see civil liberties turned on their head, and everyone’s personal online lives – though conducted in the privacy of their own home – available for official scrutiny without a clear rationale or justification. Everything from family photos, medical records, confidential business transactions, and legal communications could be exposed at a whim.

The potential impact on businesses is hard to gauge but the threat of companies in the technology sector moving their headquarters to a new country is a real concern, and the potentially inadequate protection for online services is valid.

Why are so many companies so opposed to the notion of banning encryption?

Banning or weakening encryption poses major issues to companies of all sizes. The Government’s proposal, whereby providers can decrypt secure communications, would make communications services deliberately less secure than they are designed to be.

This not only has the potential to open up more consumers to having their data stolen, it also puts more businesses at threat of losing data and facing legal action and fines – through no fault of their own. In an age where cybercrime sophistication is exponentially on the increase, weakening encryption is simply completely the wrong way to go.

There are further economic threats from this proposal too. In this highly competitive corporate world, the obvious choice for customers looking for a secure solution would be to switch to a competitor based overseas that does not weaken their systems in a similar fashion. This poses yet another problem for businesses in the UK.

Is there an alternative to the Government’s proposal?

Rather than weakening encryption, which will harm secure communications for the public and businesses by creating a backdoor that allows the content to be decrypted, what is needed is a national Internet-device database which keeps a record of the purchaser or owner of every Internet-enabled device. This would also include legislation on the supply of these devices, which requires purchasers and re-sellers to record the ID of the purchaser and forces mobile operators/ISPs to require a licence number before providing connectivity services.

A mobile phone, tablet or laptop has the power to send a message to anyone anywhere in the world, and it is possible to find the originating device. It is perfectly reasonable for the police to be able to track who sent it, or who is talking to whom, but the answer isn’t access to the content en masse, it is better knowledge of the devices themselves. This proposed solution would enable tracking and group chat identification and is surely a much stronger and more robust solution than attempting to monitor the masses when in fact it’s the few that need this level of control.

By using this data, law enforcement would be able to obtain the paper trail they are hoping for, and draw connections when persons of interest communicate. It would also remove the capabilities for terrorists and criminal gangs to use burner phones and communicate freely over the telephone.

How prepared do you believe businesses are for mobile security threats in particular?

Businesses are largely underprepared for protecting their valuable data from mobile security threats. Their keenness to embrace the move towards mobile first often sees them underestimate and lack investment in mobile security.

The use of personal devices in the work environment is now commonplace, yet many businesses still fail to have effective flexible working or BYOD policies in place. The growth of the Internet of Things is only going to create wider problems for businesses looking to secure corporate devices.

Further exacerbating this problem is that the amount of malware in existence and being targeted towards mobile devices is widespread. The implications of this could be vast and it’s only a matter of time before a major data breach is caused by cybercriminals hacking a mobile device.

What steps can people take to secure their mobile devices?

In this digital age, private communications should be a fundamental right, whereby consumers and professionals alike can communicate with whomever they choose as securely as if they were speaking to them face-to-face or by a postal letter. Time and time again security tests have shown that end-to-end security is the only way to prevent cybercriminals, intruders, corporate espionage, hackers, rogue nation states and more from violating the privacy of individuals.

In a mobile society where companies work across the globe, families are separated by oceans, and sensitive information like medical records and bank details are communicated digitally daily, the need for an absolutely secure end-to-end encryption solution is paramount.

The personal right to privacy is the status quo in the UK but this has slipped in recent years as more communications have turned digital, but end-to-end encryption solutions seek to return us to that point.

How does encryption work in theory?

The purpose of encryption is to keep digital data, which could be stored on mobile devices, computers or online, secure and confidential. Indeed, the word encryption comes from the Greek word kryptos, meaning hidden or secret.

Encryption had largely only been used by governments and armed forces until the emergence of the Diffie-Hellman key exchange and RSA algorithms. This led to broader use of encryption to protect data when sending information across a network or stored on consumer products like hard drives, smartphones and SIM cards. Not only that, it’s also used whenever someone uses an ATM or presses a key fob to unlock their car to protect the information that is communicated. So it’s become a vital part of our everyday lives.

The rapid rise in sophistication of techniques deployed by cybercriminals means that encryption has to keep on evolving too. We’re now seeing security systems that deploy 4096-bit encryption, which researchers have estimated would take over 1,000 years to crack. Furthermore, our Pryvate encryption app uses keys that are only shared between users’ devices to authorise their communications which are never known, even to us. These keys are kept encrypted in a secure cloud that can only be accessed when a user validates they are who they say are – meaning even if an organisation like the NSA wanted to get to them, they couldn’t. The technology also notifies users if there is any attempted attack on their privacy, giving them confidence their communications are as secure as possible.

How can companies modify their business models to meet the growing trend of employees working on the move?

Modern day business is seeing trends towards not only flexible working, but also international travel between companies, partners, customers, suppliers or distributors. Businesses must be more aware of the security threats that accompany this to measure the risks of allowing their employees to work flexibly in the UK or internationally and look for solutions to minimise that risk.

The transfer of documents to employees’ personal devices, emailing information to externally hosted email accounts, and exchanging data and information via online communication tools such as Instant Messenger are all typical business practices for working remotely. For any security conscious organisation, this scenario is a nightmare as it poses a number of threats to document and data security. For example, 40 to 50 per cent of emails sent between Gmail and other email providers aren’t encrypted, according to Google’s own Transparency Report.

Companies must ensure that their communications are secured through the use of end-to-end encrypted communications systems. These solutions encrypt phone calls, messages, emails and video calls to ensure they cannot be intercepted by an opportunistic hacker or nation state. Without this added layer of protection, a malicious actor could relatively easily hack the employees’ home network, deploy a fake phone mast in proximity to their house and use this to eavesdrop on all communications that employee sends.

Businesses that are dealing with particularly sensitive data should also deploy secure file transfer technology, and further add to the protection that employees have, whilst also pairing this with mandatory anti-virus software. Many companies avoid these solutions as they worry that they will be overly complex and employees will just ignore them in favour of easier solutions. However, more and more of these solutions, whilst remaining totally secure on the back-end, have been optimised with user experience and functionality in mind.